Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The present Office Action is responsive to communications received 3/18/2021.
Claims 1-13 and 17-20 are pending. Claims 14-16 are withdrawn from consideration.

Response to Arguments
Applicant’s arguments received on 3/18/2021 are addressed as follows:
Regarding the prior art rejection for claims 1, 6 and 9, Applicant argues:
“... none of the references disclose "probing [an] external IP address by transmitting a query designed to elicit a response ... that indicates which services are running on the external IP address; and evaluating a risk posed by [a] public communication activity ... by analyzing the response to detect whether any services that are vulnerable to unauthorized access are running on the external IP address," as recited in independent claim 1. Independent claims 6 and 9 recite a similar feature.”
Applicant adds:
Ranum does not disclose probing an "external IP address that does not reside on the internal network," as recited in independent claim 1. In para. [0016], Ranum explains that the active scanners can "interrogate any suitable device in the network to obtain information describing a network snapshot at a particular point in time." In order to gain a network snapshot, however, those devices must be in the network. See, for example, para. [0030] that specifies the active 
The examiner respectfully disagrees: The active scanners in Ranum probe the internal network as well as the external network. Although Ranum abundantly cites the internal network being probed, by way of examples (use of “for example”, e.g.)  Ranum discloses clearly the probing of the external network, as seen in the following paragraph: 
[0035]... one or more of the active scanners 210 may be distributed at a location that provides visibility into portions of a remote network 260. For example, as shown in FIG. 1, one or more of the active scanners 210 may be distributed at a location in communication with a remote network 260, wherein the term "remote network" used herein may refer to the Internet, a partner network, or any other suitable external network ... Accordingly, in one implementation, limiting the portions in the network and/or the remote network 260 that the active scanners 210 are configured to interrogate, probe, or otherwise scan and having the active scanners 210 perform the scans in parallel may reduce the amount of time that the active scans consume because the active scanners 210 can be distributed closer to scanning targets (e.g., routers 240, internal firewalls 280, external firewalls 284, servers 230, hosts 230, devices 230, etc.).
Ranum further discloses the probing of hosts is for identifying potential risk posed by the activity to the internal network and teaches “receiving the response from the 
Regarding claim 2, Applicant argues Bradshaw does not teach 
“acquiring global netflow that includes all traffic having a certain characteristic that traversed the Internet during a certain time interval; and filtering the global netflow to obtain the local netflow ... that crossed a perimeter of the internal network during the certain time interval", as recited in claim 2  in amended claim 17.
Applicant adds Bradshaw is concerned rather with the presentation of events rather than the acquisition of information regarding the traffic flows and does not teach the aforementioned limitation. The examiner respectfully disagrees:
Bradshaw is directed to depicting the paths of Netflow events ([0015][0052] and Fig. 9, [0171]). Mapping paths of Netflow events as taught by Bradshaw require first collecting or acquiring such Netflow paths. As known to a skilled artisan, Neflow is a protocol invented by Ciso.TDM and has become a de ‘facto standard’ for monitoring (see Bradshaw [0015]). Bradshaw discloses clearly acquiring Netflow records using Flow Capacitor ([0155]); Bradshaw discloses at any time overwhelming amount of collected data “ the volume of data existing at any point in time can be overwhelming. Conventional techniques for displaying such data make it very difficult for a user to obtain the "big picture.") and proposes a new flow of displaying the Netflow path over time (Fig. 18-20) [0036]. Therefore, Bradshaw discloses "acquiring global netflow that includes all traffic having a certain characteristic that traversed the Internet 1875663.1 Docket No.: 127387-8004.US01U.S. Application No. 16/166,906during a certain time interval", as recited in claim 2  in amended claim 17.
Bradshaw also discloses “The present invention provides a method for visually depicting complex events. Software agents are preferably employed to assist the human operator by aggregating, correlating, and analyzing events in a way that allows a subset of specific data to be emphasized in the visual display [0040]”, teaching displaying areas of interest by selecting source/destination IP address of interest ([0039][103]), therefore suggesting filtering out for depiction the areas of concerns from the other areas ([0144]) and teaching "filtering the global Netflow to obtain ... local Netflow ... that crossed a perimeter of [an] internal network during the certain time interval", as recited in claim 2 and in amended claim 17.
Regarding the other limitations recited in amended claim 17, the scope of claim 17 has changed and the new scope is addressed below.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly 

Claim 17 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 17 recites:   comparing (i) the external IP address and (ii) the set of external IP addresses to a source list that includes one or more external IP addresses known to be associated with an increased security risk.
The examiner found support in the specifications for:  comparing (i) the external IP address to a source list ... but did not find support for: comparing ...(ii) the set of external IP addresses to a source list ... ”. If the examiner used oversight regarding the limitations, the applicant is requested to point to the examiner the substance of the limitations into applicant’s disclosure. Otherwise, Applicant is requested to modify the claim language such that the limitations are supported in the specifications.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 3/18/2021, 4/13/2021 and 5/24/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Objections
Claim 9 recites: “receiving the response from the internal IP address that indicates which services are running on the external IP address”. The examiner believes the limitation is in error and should recite: “receiving the response from the internal IP address that indicates which services are running on the internal IP address”.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1, 2-3, 6-7 of the present application are rejected on the ground of nonstatutory double patenting as being anticipated by claim 15 of U.S. application 15984030 (‘030) . Although the claims at issue are not identical, they are not patentably distinct from each other because limitations in claims 1 and 2 are anticipated by limitations in claim 15 as follows:
Claim 1 (and substantially claim 6) are anticipated by claim 15 of ‘030:  A computer-implemented method for estimating risk posed by a public communication activity involving an internal Internet Protocol (IP) address that resides on an internal network associated with an organization, the method comprising: examining local netflow to detect a public communication activity involving an internal IP address that resides on (claim 11 of ‘030: ‘examining the local netflow to detect a communication activity involving an internal Internet Protocol (IP) address that resides on the internal network and an external IP address that does not reside on the internal network); probing the external IP address by transmitting a query designed to elicit a response (claim 15 of ‘030: probing the external IP address by transmitting a query designed to elicit a response from the external IP address); receiving the response from the external IP address that indicates which services are running on the external IP address (claim 15 of ‘030: receiving the response from the external IP address ... analyzing the response to detect services ... running on the external IP address); and evaluating a risk posed by the public communication activity to the internal network by analyzing the response to detect whether any services that are vulnerable to unauthorized access are running on the external IP address (claim 15 of ‘030: wherein said evaluating comprises analyzing the response to detect whether any services determined to be vulnerable to unauthorized access are running on the external IP address).  
Claim 2 and substantially claim 7 are anticipated by claim 15 of ‘030: The computer-implemented method of claim 1, further comprising: acquiring global netflow that includes all traffic having a certain characteristic that traversed the Internet during a certain time interval (claim 15 of ‘030 (in claim 11): acquiring global netflow that includes all traffic that traversed the Internet over a certain time interval from multiple sources); filtering the global netflow to obtain the local netflow that includes all traffic having the certain characteristic that crossed a perimeter of the internal network during the certain time interval (claim 15 of ‘030 (in claim 11): filtering the global netflow to obtain local netflow for an internal network associated with an organization ... wherein the local netflow includes all traffic that traversed the internal network over the certain time interval).
Claim 3 is anticipated by claim 15 of ‘030: The computer-implemented method of claim 1, further comprising: determining which data packets included in the global netflow have the certain characteristic by examining a structure of each data packet (claim 15 of ‘030 (in claim 11): identifying (i) first traffic in the global netflow that originates from the internal).
Claims 4-5 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 15 of ’30, in view of US 20130222387 to Bradshaw  et al., hereinafter Bradshaw.
Regarding claim 4, claim 15 of ‘030 discloses the computer-implemented method of claim 3 but does not teach, yet Bradshaw teaches wherein said determining includes examining content of a header of each data packet (Bradshaw [0019]-[0023] information such as source/destination, protocol type ... known to be information located in packet header). It would have been obvious to a skilled artisan before the present application was filed to examine the content of packet header as taught by Bradshaw because it is well-known in the art that a packet header contains specific data structure used for identifying the packet and routing the packet.
Regarding claim 5, claim 15 of ‘030 discloses the computer-implemented method of claim 3 but does not teach, yet Bradshaw teaches wherein the structure is indicative of whether each data packet is routed in accordance with Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) (Bradshaw [0008]-[0010],[0014]: use 
 Claim 8 is rejected on the ground of nonstatutory double patenting as being unpatentable over claims 15 of ’30, in view of US 20040177144 to Yip, hereinafter Yip.
Regarding claim 8, claim 15 of ‘030 discloses the computer-implemented method of claim 7 but does not teach, yet Bradshaw teaches wherein the global netflow is acquired from one or more Internet service Providers (ISPs), one or more content delivery networks (CDNs), or any combination thereof (Yip discloses monitoring by an ISP local communications ([0005][0006])). It would have been obvious to a skilled artisan to collect traffic data from ISPs, as taught by Yip because ISPs provide Internet access to clients and are broadly disseminated in the network and would be able to collect monitoring traffic data all over the Internet.

Claims 9-13 of the present application are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 4 of U.S. application 16167029 (‘029), in view of US 20140013434 to Ranum et al., hereinafter Ranum. 
Regarding claim 9, claim 1 of ‘029 discloses: A computer-implemented method for estimating risk posed by a public communication activity involving an internal Internet Protocol (IP) address that resides on an internal network associated with an (claim 1 of ‘029: ‘scanning mechanisms deployed on the Internet’), the method comprising: examining local netflow to detect a public communication activity involving an internal IP address that resides on the internal network and an external IP address that does not reside on the internal network (claim 1 of 029): ‘acquire local netflow that includes all traffic that crossed a perimeter of the internal network during a certain time interval, examine the local netflow to detect public communication activities, each public communication activity involving an internal IP address that resides on the internal network and an external IP address that does not reside on the internal network’) ; probing the internal IP address by transmitting a query designed to elicit a response; receiving the response from the internal IP address (claim 1 of 029: ‘probe at least one Internet Protocol (IP) address by transmitting a query designed to elicit a response, and create probe data from any responses received from the at least one IP address’); and evaluating a risk posed by the public communication activity to the internal network by analyzing the response to detect whether any services that are vulnerable to unauthorized access are running on the internal IP address (claim 1 of 029  ‘evaluate a risk to the internal network based on the local netflow and the probe data’). Claim 1 of ‘029 des not explicitly teach the response that indicates which services are running on the internal IP address, but Ranum discloses the limitation  
Regarding claim 10,  claim 1 of ‘029 in view of Ranum discloses the computer-implemented method of claim 9, further comprising: determining that a vulnerable service is running on the internal IP address; generating a notification that identifies the vulnerable service; and transmitting the notification to a computing device associated with an administrator responsible for managing the internal network (Ranum, [0053][0056]: issue alerts to appropriate personal in order to deploy anti-malware, see motivation in claim 9).  
Regarding claim 11,  claim 1 of ‘029 in view of Ranum discloses the computer-implemented method of claim 10, wherein the notification includes a recommendation to perform remediation action designed to addresses an increased security risk due to the vulnerable service (Ranum [0056], see motivation in claim 9)
Regarding claim 12 claim 1 of ‘029 in view of Ranum discloses: The computer-implemented method of claim 9 (see teachings by claim 1 of ‘029 + Ranum above); additionally claim 4 of ‘029 discloses , wherein the public communication activity involves a transmittal of a data packet from the internal IP address to the external IP address across a perimeter of the internal network (claim 4 of ‘029: ‘examine traffic originating from, or directed to, each external IP address’).
Regarding claim 13 claim 1 of ‘029 in view of Ranum discloses: The computer-implemented method of claim 9 (see teachings by claim 1 of ‘029 + Ranum above), additionally, claim 4 of ‘029 discloses wherein the communication activity involves a transmittal of a data packet from the external IP address to the internal IP address across a perimeter of the internal network (claim 4 of ‘029: ‘examine traffic originating from, or directed to, each external IP address’).

Claims 9-13 is rejected under the ground of nonstatutory double patenting as being unpatentable over claims 1, 3 and 8 of US application 16166906 (‘906), in view of US 20140013434 to Ranum et al., hereinafter Ranum, 
Claim 9: A computer-implemented method for estimating risk posed by a public communication activity involving an internal Internet Protocol (IP) address that resides on an internal network associated with an organization, the method comprising: examining local netflow to detect a public communication activity involving an internal IP address that resides on the internal network and an external IP address that does not reside on the internal network (claim 1 of ‘906: ‘filtering the global netflow to obtain first data indicative of local netflow, wherein the local netflow includes all traffic having the certain characteristic that crossed a perimeter of the internal network ..., claim 3 of ‘906: ‘wherein the local netflow includes data packets transmitted by external IP addresses to internal IP addresses, data packets transmitted by internal IP addresses to external IP addresses, or any combination thereof’); probing the internal IP address by transmitting a query designed to elicit a response; receiving the response from the internal IP address (claim 8 of ‘906 ‘probing each internal IP address included in the first list by transmitting a query designed to elicit a response; and creating probe data from any responses received from the internal IP addresses);
Claims in ‘906 are silent about response that indicates which services are running on the external IP address, evaluating a risk ... In an analogous art, Ranum  discloses a response indicating running processes (([0057]: scan hosts to determine running processes thereon, the scanning target beings elements in the internal or external network  ([0035]); [0036] obtain snapshots of services running in internal hosts)) and probing internal addresses and receiving responses ([0031]: active scanning of hosts to elicit responses from the hosts); evaluating a risk posed by the public communication activity to the internal network by analyzing the response to detect whether any services determined to be vulnerable to unauthorized access are running on the internal IP address ([0033][0036]: identify vulnerabilities, access control violations based on responses). It would have been obvious to a person skilled in the art before the effective filing date of the instant application to probe internal addresses and detect vulnerabilities running on the hosts because it would allow actively and more efficiently  collecting data to detect malware, as opposed to using passive scanning or monitoring only.
Regarding claim 10, claims 1, 3, 8 of ‘0906 in view of  Ranum disclose the computer-implemented method of claim 9, further comprising: determining that a vulnerable service is running on the internal IP address; generating a notification that identifies the vulnerable service; and transmitting the notification to a computing device associated with an administrator responsible for managing the internal network (Ranum, [0053][0056]: issue alerts to appropriate personal in order to deploy anti-malware, see claim 9 for motivation).  
Regarding claim 11, claims 1, 3, 8 of ‘0906 in view of  Ranum  disclose the computer-implemented method of claim 10, wherein the notification includes a recommendation to perform remediation action designed to addresses an increased security risk due to the vulnerable service (Ranum [0056]).  
Regarding claim 12, claims 1, 3, 8 of ‘0906 in view of  Ranum  disclose the computer-implemented method of claim 9, wherein the public communication activity involves a transmittal of a data packet from the internal IP address to the external IP address across a perimeter of the internal network (Ranum [0053]: an internal address that visited an external network address).  
Regarding claim 13, claims 1, 3, 8 of ‘0906 in view of  Ranum  disclose the computer-implemented method of claim 9, wherein the communication activity involves a transmittal of a data packet from the external IP address to the internal IP address across a perimeter of the internal network (Ranum [0053]: monitor inbound connections to internal network).  
The double patenting rejections presented herein are provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:



Claims 1-7, 9-13 are rejected under 35 U.S.C. 103 as being unpatentabe over US 20140013434 to Ranum et al., hereinafter Ranum and further in view of US 20130222387 to Bradshaw  et al., hereinafter Bradshaw. Ranum is cited in IDS dated 8/13/2020.
Regarding claim 1, Ranum discloses:
A computer-implemented method for estimating risk posed by a public communication activity involving an internal Internet Protocol (IP) address that resides on an internal network associated with an organization ([0035]: monitoring internal network to detect malware ([0023])), the method comprising: examining local ([0023][0053]: monitor communication between internal host and external destination address using passive scanners and logs including Netflow logs ([0053][0077]); probing the external IP address by transmitting a query designed to elicit a response ([0023][0035][0074]:active scanners configured to interrogate remote host in external network ); receiving the response from the external IP address ([0031][0035]: active scanners communicating packets to hosts to elicit responses from the hosts in external network) that indicates which services are running on the external IP address ([0051]: the scan identifies signs relating to malicious software running in the target host) ; and evaluating a risk posed by the public communication activity to the internal network by analyzing the response to detect whether any services that are vulnerable to unauthorized access are running on the external IP address ([0051][0054],[0074]: use active scanners to identify vulnerability such as backdoor, malware on target host,  that may be  exploited to introduce malware into the network).  
Ranum discloses the use of Netflow logs in addition to the passive monitoring ([0053][0077]) but does not explicitly teach the local netflow is being used to detect communications. However, collecting traffic data using netflow is well-known in the art, as evidenced by Bradshaw, who in an analogous art, discloses a method to analyze and visualize event flows (Abstract), monitored by Netflow protocol to obtain an overall picture of the Internet ([0035][0036]). Therefore, it would have been obvious to a skilled artisan before the application’s effective filing date to utilize “netflow” to acquire traffic information and teach the claim limitations because netflow is “a common protocol for monitoring traffic ... and has become a de facto industry standard” (Bradshaw [0015]), Netflow providing a collection of information for analysis purposes [0016]-[0026]).


Regarding claim 2, Ranum in view of Bradshaw discloses the computer-implemented method of claim 1, further comprising: acquiring global netflow that includes all traffic having a certain characteristic that traversed the Internet during a certain time interval (Bradshaw [0036] Netflow data to obtain an overall picture for the entire Internet, Bradshaw [0042][0172]: flows during a time interval- Bradshaw combined to Ranum for the reason presented in claim 1); filtering the global netflow to obtain the local netflow that includes all traffic having the certain characteristic that   
Regarding claim 3, Ranum in view of Bradshaw discloses the computer-implemented method of claim 1, further comprising: determining which data packets included in the global netflow have the certain characteristic by examining a structure of each data packet (Bradshaw, [0143]-0146],, see claim 1 for motivation to combine).
Regarding claim 4, Ranum in view of Bradshaw discloses the computer-implemented method of claim 3, wherein said determining includes examining content of a header of each data packet (Bradshaw [0019]-[0023] information such as source/destination, protocol type ... known to be information located in packet header).  
Regarding claim 5, Ranum in view of Bradshaw discloses the computer-implemented method of claim 3, wherein the structure is indicative of whether each data packet is routed in accordance with Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) (Bradshaw [0008]-[0010],[0014]: use standard format of IPV4 or IPv6 specifying the Internet address, to identify source/destination address (Bradshaw ([0019][0020], see motivation to use Bradshaw in claim 1). 
Regarding claim 6, the claim recites substantially the same content as claim 1 and is rejected using the rationales for rejecting claim 1 substantially.
Regarding claim 7, the claim recites substantially the same content as claim 2 and is rejected using the rationales for rejecting claim 2 substantially.

Regarding claim 9, Ranum discloses a computer-implemented method for estimating risk posed by a public communication activity involving an internal Internet Protocol (IP) address that resides on an internal network associated with an organization ([0035]: monitoring internal network to detect malware [0023]), the method comprising: examining local ([0023][0035][0053]: monitor communication between internal host and external destination address using passive scanners and logs including Netflow logs ([0053][0077]); probing the internal IP address by transmitting a query designed to elicit a response; receiving the response from the internal IP address ([0031]: actively scan local hosts, get a response from the hosts) that indicates which services are running on the external IP address ([0057]: scan hosts to determine running processes thereon, the scanning target beings elements in the internal or external network  ([0035]); [0036] obtain snapshots of services running in internal hosts ) ; and evaluating a risk posed by the public communication activity to the internal network by analyzing the response to detect whether any services that are vulnerable to unauthorized access are running on the internal IP address ([0051][0054][0057][0074]: information from the active scanners used to identify vulnerability such as backdoor, malware,  that may be  exploited to introduce malware into the internal network).  
Ranum discloses the use of Netflow logs in addition to the passive monitoring ([0053][0077]) but does not explicitly teach the local netflow is being used to detect  However, collecting traffic data using netflow is well-known in the art, as evidenced by Bradshaw, who in an analogous art, discloses a method to analyze and visualize event flows (Abstract), monitored by Netflow protocol to obtain an overall picture of the Internet ([0035][0036]). Therefore, it would have been obvious to a skilled artisan before the application’s effective filing date to utilize “netflow” to acquire traffic information and teach the claim limitations because netflow is “a common protocol for monitoring traffic ... and has become a de facto industry standard” (Bradshaw [0015]), Netflow providing a collection of information for analysis purposes [0016]-[0026]).

Regarding claim 10, Ranum in view of Bradshaw discloses the computer-implemented method of claim 9, further comprising: determining that a vulnerable service is running on the internal IP address; generating a notification that identifies the vulnerable service; and transmitting the notification to a computing device associated with an administrator responsible for managing the internal network (Ranum, [0053][0056]: issue alerts to appropriate personal in order to deploy anti-malware).  
Regarding claim 11, Ranum in view of Bradshaw discloses the computer-implemented method of claim 10, wherein the notification includes a recommendation to perform remediation action designed to addresses an increased security risk due to the vulnerable service (Ranum [0056]).  
Regarding claim 12, Ranum in view of Bradshaw discloses the computer-implemented method of claim 9, wherein the public communication activity involves a transmittal of a data packet from the internal IP address to the external IP address 
Regarding claim 13, Ranum in view of Bradshaw discloses the computer-implemented method of claim 9, wherein the communication activity involves a transmittal of a data packet from the external IP address to the internal IP address across a perimeter of the internal network (Ranum [0053]: monitor inbound connections to internal network).  

Claim 8 is rejected under 35 USC 103 as being unpatentable over Ranum, and Bradshaw, in view of US 20040177144 to Yip, hereinafter Yip.
Regarding claim 8, Ranum in view of Bradshaw discloses the computer-implemented method of claim 7 ; Bradshaw discloses collecting traffic data from third-party provides ([0059]) but Ranum in view of Bradshaw  but does not teach wherein the global netflow is acquired from one or more Internet service Providers (ISPs), one or more content delivery networks (CDNs), or any combination thereof.  
In an analogous art, Yip discloses monitoring by an ISP local communications ([0005][0006]). It would have been obvious to a skilled artisan to collect traffic data from ISPs, as taught by Yip because ISPs provide Internet access to clients and are broadly disseminated in the network and would be able to collect monitoring traffic data all over the Internet.

Claim 17 is rejected under 35 USC 103 as being unpatentable over Bradshaw, in view Ranum.
Regarding claim 17, Bradshaw discloses:
 A computer-implemented method for estimating risk posed by a public communication activity involving an internal Internet Protocol (IP) address that resides on an internal network managed by an organization, the method comprising: acquiring global netflow that includes all traffic that traversed the Internet over a certain time interval ([0036][0042][0071]: get Netflow records from routers to obtain a depiction of the entire Internet during a time interval, wherein the certain characteristic is an event e.g. ‘request event’); filtering the global netflow to obtain local netflow that includes all traffic that crossed a perimeter of the internal network over the certain time interval ([0039][0040][0103][014]: filter data from flows, visualize group of source and destination IP addresses of interest);
Bradshaw discloses mapping source and destination addresses of event flows ([0040][0041][0073]), but does not explicitly teach: 
 examining the local netflow to detect a public communication activity involving an internal IP address that resides on the internal network and an external IP address that does not reside on the internal network; examining the global netflow to identify a set of external IP addresses with which the external IP address communicated; comparing (i) the external IP address and (ii) the set of external IP addresses to a source list that includes one or more external IP addresses known to be associated with an increased security risk; and evaluating, based on said comparing, a risk posed by the public communication activity to the internal network.  
In an analogous art, Ranum discloses monitoring the network using active and passive scanning of traffic at particular period of times ([0010][0015]). Ranum teaches: examining the local netflow to detect a public communication activity involving an internal IP address that resides on the internal network and an external IP address that does not reside on the internal network ([0023][0035][0053]: identify source and destination addresses in flows between internal host and external hosts); examining the global netflow to identify a set of external IP addresses with which the external IP address communicated ([0023]: Ranum discloses scanning web application on the remotely scanned host to identify external network addresses to which the web application points to, enumerate active connections on the remotely scanned hosts to identify source or destination address of connections ); comparing (i) the external IP address and (ii) the set of external IP addresses to a source list that includes one or more external IP addresses known to be associated with an increased security risk ([0023]: remotely scanned hosts with IP that appears on list of known botnets); and evaluating, based on said comparing, a risk posed by the public communication activity to the internal network ([0023][0052]: identify botnet activity).  
It would have been obvious to a skilled artisan before the effective filing date of the instant application to parse the collected Neflow data as taught by Bradshaw and identify IP addresses involved in the communication activities because it would allow easily comparing the IP addresses to known database of addresses representative of malware (Ranum [0052]), and taking remedial actions to protect the network.

Claims 18-19 are rejected under 35 USC 103 as being unpatentable over Bradshaw and Ranum, in view of US 20060004719 to Lawrence et al, herein Lawrence.
Regarding claim 18, Bradshaw in view of Ranum discloses the computer-implemented method of claim 17 although Ranum teaches the use of known list of botnet or “threatlist” ([0023][0078]), Ranum or Bradshaw does not teach  further comprising: retrieving the source list from a website maintained by the Federal Government of the United States.  
In an analogous art, Lawrence discloses a risk server analyzing data collected from different sources ([0064], performing a risk assessment to identify the presence of known-risk related keywords ([0134]), querying for instance OFAC (office of Foreign Assets Control data ([0414] Fig. 43). Therefore Lawrence teaches retrieving the source list from a website maintained by the Federal Government of the United States. It would have been obvious to a person skilled in the art before the present application filing date to perform risk assessment using a source list provided by the US Government because it would allow checking compliance against a reliable, authoritative list  i.e a Global Regulatory Information Database, enhancing the risk assessment.
Regarding claim 19, Bradshaw in view of Ranum and Lawrence discloses the computer-implemented of claim 18, wherein content of the source list changes over time (Lawrence [0134]: receive list whenever it is updated), wherein said retrieving is performed on a periodic basis (Ranum discloses a periodic scanning ([0031][0041], and performing periodic detection of risk ([0081]; it would have been obvious to detect risk using the list taught by Lawrence, periodically, in order to identify new malware using a reliable source).  

Claim 20 is rejected under 35 USC 103 as being unpatentable over Bradshaw and Ranum, in view of US 8032594 to Helsper et al, hereinafter Helpser.
Regarding claim 20, Bradshaw in view of Ranum discloses the computer-implemented method of claim 17, but does not teach wherein the source list includes at least one IP address associated with a foreign corporation deemed to be a security risk by the Office of Foreign Assets Control.   In an analogous art, Helsper discloses collecting email, extracting IP address from the header for scoring of the email , checking the email against a block list to determine if it is associated with a relay server (col. 3, lines 21-54); the IP address is associated with a scoring for OFAC County (col. 3, lines 31-40). Therefore Helsper teaches the limitation. It would have been obvious to a skilled artisan before the present application was filed to have the source list include an IP address associated with  OFAC scoring because it would tie the address to a risk level designated by OFAC, enhancing the risk assessment (col. 2, lines 57-67).
 
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CATHERINE B THIAW whose telephone number is (571)270-1138.  The examiner can normally be reached on Monday-Friday 7am-4pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, CARL G COLIN can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/Catherine Thiaw/Primary Examiner, Art Unit 2493                                                                                                                                                                                                        6/22/2021